0

We've setup a process to manually sign our code using the SIGNTOOL from Microsoft. We generate our installation package using NSIS and it's time to start automating the code signing process as well as part of the NSIS scripts.

We do not use windows SDK for development so would prefer not making that a requirement for our developers. We have some people on Mac and Linux as well; anyone can make an installer and the installer maker is what will, hopefully, be signing the code automatically. We are using PFX files to sign the code.

So basically I'm trying to figure out, "how can I sign code without installing anything, except maybe one tiny file, so that it works on all three major OSes". Automating with NSIS is handled, but doing it without Windows SDK from any OS is not.

gunslingor
  • 1,358
  • 12
  • 34
  • Don't modern code signing processes usually involve a physical dongle? – David Heffernan Apr 15 '19 at 13:33
  • Mozilla have some instructions for using Mono to sign an exe on Linux/Mac. I haven't tried this: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Signing_an_executable_with_Authenticode – Thomas K Apr 15 '19 at 19:21
  • You don't really want to give all developers access to your code signing certificate. Even if you trust them enough, there is always the risk of malware stealing your certificate. Solution: Set up a build server (e. g. Jenkins) that runs a code sigining task after your release builds. – zett42 Apr 15 '19 at 20:04

2 Answers2

0

Code Signing is a different process in all these OSes anyway so there is nothing common by definition. You must use the tools provided by the SDKs. The only common could be the certificate and this is also different in iOS/Android/Windows because MS/Google/Apple wants you to use their own root certs.

That said, you don't necessarily need the SDK to sign a file in Windows, there is a Signing API.

Michael Chourdakis
  • 10,345
  • 3
  • 42
  • 78
0

Signtool can be copied anywhere once you install Windows SDK. Simply copy the signtool.exe from "C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\" or equivalent and include it with your installation maker files as a utility.

The NSIS script can then use this exe to automatically sign the installer when operating on windows. When operating on a Mac, there would need to be a switch to use the codesign tool inherent on Mac's instead.

Signing of the uninstaller can be a little more complicated since it usually isn't generated until installation time; included for information only: https://nsis.sourceforge.io/Signing_an_Uninstaller

gunslingor
  • 1,358
  • 12
  • 34